Page 1 of 1
Prevent users from typing the url manually
Posted: Wed Sep 30, 2009 11:27 pm
by enchance
I'm a php noob and I wanted to ask if you guys know how to prevent users from typing a URL manually? The page isn't ready yet but it might be site.com/custom.php or something like that. To get to the page they need to type in a password which is relatively easy to do in PHP.
Advanced thanks to everyone.
Cheers,
John
Re: Prevent users from typing the url manually
Posted: Thu Oct 01, 2009 1:09 am
by Griven
Easier than password protecting is locking down by IP address. This is great for pages that are still in development.
First, get your IP address.
http://www.whatismyip.com/
Second, put this at the top of your PHP code:
Code: Select all
$ip = $_SERVER['REMOTE_ADDR'];
if ($ip != "<your ip address>") {
exit();
}
//Place the rest of your code here
This will make it so that any visitor whose IP address is different than your own will not see the page contents.
You cannot keep a user from typing in a specific address--that's quite impossible. You can, however, prevent them from seeing what you don't want them to see.
Re: Prevent users from typing the url manually
Posted: Thu Oct 01, 2009 1:29 am
by CodeGeek
You could do this:
Code: Select all
if($_POST[submit] = false)
{
echo "You have acessed this page incorrectly"
}
else
{
echo "Thank you for entering your password!"
}
I am new to coding but that should work. It asks if they clicked submit. If they didn't do show them the page. If they did show them.
Re: Prevent users from typing the url manually
Posted: Thu Oct 01, 2009 1:37 am
by dude81
I would rather suggest .htaccess protection, if you are using apache as your server which looks much pretty to me
Code: Select all
<Files custom.php>
Order deny,allow
Deny from all
AuthName "htaccess password prompt"
AuthType Basic
AuthUserFile /home/yourwebfolder/.htpasswd
Require valid-user
</Files>
and use following site generate user password list
http://www.htaccesstools.com/htpasswd-generator/
Thereby you can limit users not allowing custom.php in yourwebfolder
Re: Prevent users from typing the url manually
Posted: Thu Oct 01, 2009 10:07 am
by enchance
Your comments are all so exciting to read.

I'll try them all out and see which is which.
Re: Prevent users from typing the url manually
Posted: Thu Oct 01, 2009 12:48 pm
by requinix
What would be even better is if you developed on a machine that isn't your production server.
Re: Prevent users from typing the url manually
Posted: Thu Oct 01, 2009 1:37 pm
by enchance
Yes, I agree. I'm using XAMPP for my localhost. It's the best one out there.
Re: Prevent users from typing the url manually
Posted: Thu Oct 01, 2009 11:28 pm
by mybikeisgreen
Check the value of $_SERVER['REQUEST_METHOD']. If it's POST then they definitely didn't type it in manually.
Code: Select all
if ($_SERVER['REQUEST_METHOD']!='POST') {
exit();
}
Re: Prevent users from typing the url manually
Posted: Thu Oct 01, 2009 11:48 pm
by mybikeisgreen
You could also check the referrer. When you type in a URL manually the referrer is always blank.
But the most secure way to do this is with cookies. It's a little bit complicated, but after the correct password is entered you could do:
Code: Select all
$time = time();
setcookie('authorized', md5('[yoursecretphrase]'.$time));
setcookie('time', $time);
Then check the cookie, put the following on every protected page.
Code: Select all
if ($_COOKIE['authorized']!=md5('[yoursecretphrase]'.$_COOKIE['time'])) {
header($_SERVER['SERVER_PROTOCOL'].' 403 Forbidden');
echo '<title>403 Forbidden</title>'';
echo 'You are not authorized to view this page.';
}
Re: Prevent users from typing the url manually
Posted: Fri Oct 02, 2009 9:13 am
by lowcostweb
Code: Select all
if ($_SERVER['HTTP_REFERER'] == "")
{echo "you are not authorized";
exit();
}
this will check if page not accessed directly but only by clicking on a link or form submission.
http://www.cogitsolutions.com/blog/